Most corporate risk management programs overlook the biggest risk of all
Company risk management programs that don’t address ESG are missing the point entirely and overlooking the gravest risk we’ve ever faced.
By AnsaradaThu Feb 23 2023Security and risk management, Governance Risk and Compliance, Environmental Social and Governance
Every day, business leaders make risk decisions to achieve better outcomes for their businesses, from expansion to revenue and growth.
Risk underpins reward. You can’t find success without a degree of risk, the same way it’s impossible to win a game without playing it.
No organization is exempt from governance, risk & compliance (GRC); there’s no such thing as a risk-free business after all. But all risks need to be holistically considered and controlled as part of your risk management program.
Where do you draw the line between operational business risks and significant global risks like climate change?
In short: You don’t.
In the World Economic Forum’s Global Risks Perception Survey 2021-2022, the top three most severe global threats identified over the next 5-10 years were environmental risks. Climate action failure received the highest response rate, followed by extreme weather and biodiversity loss.
So where are these global risks on the corporate risk agenda?
According to Michael Rasmussen, the problem with most organizations’ risk management agendas is that they fail to look beyond their own backyard. They might focus undue attention on a single pressing risk - IT security as one example.
While cybersecurity failure is represented in the Global Risks Perception Survey in the short term - coming in seventh place within 0-2 years and eighth place within 2-5 years - it pales in comparison to the environmental risks which dominate the long-term global risks horizon. And these are the ones still missing from most enterprise GRC agendas.
At its core, environmental, social and governance (ESG) is the identification of risks (and opportunities) that will help an organization achieve its sustainable impact objectives. It is simply another set of risks and compliance requirements that feeds into your integrated GRC strategy - although admittedly a highly complex one.
Whether due to this complexity or other factors, ESG risk is too often treated as an external problem, beyond the scope of the corporation’s responsibility.
That mindset is shifting. New regulatory requirements are bringing fresh urgency to addressing ESG risks. Recent years have seen a surge in regulations around ESG issues, most notably the EU Sustainable Finance Disclosure Regulation (SFDR) and the Task Force on Climate-related Financial Disclosures (TCFD) recommendations. Within recent months, we’ve also seen the German Supply Chain Due Diligence Act (enforced from January 1st, 2023) and amendments to the Senior Managers and Certification Regime (SMCR) that will hold companies and individuals accountable for ESG risks across their supply chains.
To address ESG risks and comply with regulatory requirements, organizations need to integrate ESG considerations into their risk management programs. This requires a shift in mindset and a change in the way risk is perceived. Instead of focusing solely on operational risks, businesses need to adopt an integrated risk environment that includes global risks like climate change.
We live in a globally connected society, and risks have a trickle down effect. An organization might track their own health and safety risks, but may have little to no view of impacts further down their supply chain, like concerns with modern slavery or child labour.
Modern business leaders have to understand these risk relationships; managing an interconnected risk environment in silos fails to address the underlying issues that are impacting our global society and putting the planet - and all its inhabitants - at risk.
It's no longer just about the decisions that governments make, but what corporations can do proactively. Companies that lead the way in prioritizing ESG initiatives will come out on top in a world where values are already shifting dramatically.
Operational resilience is another term (and set of current and emerging regulatory requirements) that has been steadily gaining traction since the pandemic.
Integrating ESG considerations into risk management programs is not just about compliance and avoiding negative consequences. It is also about building resilience and creating long-term value for the organization. A recent study by Harvard Business Review found that companies with strong sustainability practices outperform their peers financially and are more resilient in the face of disruptive events.
By addressing ESG risks, businesses can build resilience and prepare themselves for a changing world. This includes developing strategies to mitigate the impact of climate change, transitioning to a low-carbon economy, and addressing social and governance risks. By doing so, businesses can create value not just for their shareholders, but for all stakeholders, including employees, customers, and society as a whole.
Businesses need to take ESG risks seriously and integrate them into their risk management programs. This requires a shift in mindset, a change in the way risk is perceived, and a commitment to creating long-term value for the organization and society. By doing so, businesses can build resilience, comply with regulatory requirements, and prepare themselves for a changing world. But they need the right tools for the job.
Risk underpins reward. You can’t find success without a degree of risk, the same way it’s impossible to win a game without playing it.
No organization is exempt from governance, risk & compliance (GRC); there’s no such thing as a risk-free business after all. But all risks need to be holistically considered and controlled as part of your risk management program.
Where do you draw the line between operational business risks and significant global risks like climate change?
In short: You don’t.
Climate risks dominate long-term risk horizon
In the World Economic Forum’s Global Risks Perception Survey 2021-2022, the top three most severe global threats identified over the next 5-10 years were environmental risks. Climate action failure received the highest response rate, followed by extreme weather and biodiversity loss.
So where are these global risks on the corporate risk agenda?
According to Michael Rasmussen, the problem with most organizations’ risk management agendas is that they fail to look beyond their own backyard. They might focus undue attention on a single pressing risk - IT security as one example.
While cybersecurity failure is represented in the Global Risks Perception Survey in the short term - coming in seventh place within 0-2 years and eighth place within 2-5 years - it pales in comparison to the environmental risks which dominate the long-term global risks horizon. And these are the ones still missing from most enterprise GRC agendas.
The role of GRC in delivering ESG
At its core, environmental, social and governance (ESG) is the identification of risks (and opportunities) that will help an organization achieve its sustainable impact objectives. It is simply another set of risks and compliance requirements that feeds into your integrated GRC strategy - although admittedly a highly complex one.
Whether due to this complexity or other factors, ESG risk is too often treated as an external problem, beyond the scope of the corporation’s responsibility.
That mindset is shifting. New regulatory requirements are bringing fresh urgency to addressing ESG risks. Recent years have seen a surge in regulations around ESG issues, most notably the EU Sustainable Finance Disclosure Regulation (SFDR) and the Task Force on Climate-related Financial Disclosures (TCFD) recommendations. Within recent months, we’ve also seen the German Supply Chain Due Diligence Act (enforced from January 1st, 2023) and amendments to the Senior Managers and Certification Regime (SMCR) that will hold companies and individuals accountable for ESG risks across their supply chains.
To address ESG risks and comply with regulatory requirements, organizations need to integrate ESG considerations into their risk management programs. This requires a shift in mindset and a change in the way risk is perceived. Instead of focusing solely on operational risks, businesses need to adopt an integrated risk environment that includes global risks like climate change.
Risk management programs are missing the big picture
We live in a globally connected society, and risks have a trickle down effect. An organization might track their own health and safety risks, but may have little to no view of impacts further down their supply chain, like concerns with modern slavery or child labour.
Modern business leaders have to understand these risk relationships; managing an interconnected risk environment in silos fails to address the underlying issues that are impacting our global society and putting the planet - and all its inhabitants - at risk.
It's no longer just about the decisions that governments make, but what corporations can do proactively. Companies that lead the way in prioritizing ESG initiatives will come out on top in a world where values are already shifting dramatically.
ESG risk management will help create resilient businesses
Operational resilience is another term (and set of current and emerging regulatory requirements) that has been steadily gaining traction since the pandemic.
Integrating ESG considerations into risk management programs is not just about compliance and avoiding negative consequences. It is also about building resilience and creating long-term value for the organization. A recent study by Harvard Business Review found that companies with strong sustainability practices outperform their peers financially and are more resilient in the face of disruptive events.
By addressing ESG risks, businesses can build resilience and prepare themselves for a changing world. This includes developing strategies to mitigate the impact of climate change, transitioning to a low-carbon economy, and addressing social and governance risks. By doing so, businesses can create value not just for their shareholders, but for all stakeholders, including employees, customers, and society as a whole.
Inaction on ESG is no longer an option
Businesses need to take ESG risks seriously and integrate them into their risk management programs. This requires a shift in mindset, a change in the way risk is perceived, and a commitment to creating long-term value for the organization and society. By doing so, businesses can build resilience, comply with regulatory requirements, and prepare themselves for a changing world. But they need the right tools for the job.
GRC is how ESG gets done
If you’re still using spreadsheets for risk and compliance management, you’re putting your business at risk. A GRC management system allows you to identify risks, controls and responsibilities so you can achieve your objectives and build resilience.
